VYPR
Low severity · CVSS 3.5 · NVD Advisory · Published Apr 3, 2025 · Updated Apr 15, 2026

CVE-2025-3152

Description

A vulnerability classified as problematic has been found in caipeichao ThinkOX 1.0. This affects an unknown part of the file /ThinkOX-master/index.php?s=/Weibo/Index/search.html of the component Search. The manipulation of the argument keywords leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ThinkOX 1.0 suffers from a reflected XSS vulnerability in the search functionality via the keywords parameter, allowing remote attackers to inject arbitrary scripts.

The vulnerability is a reflected cross-site scripting (XSS) issue in ThinkOX version 1.0, specifically in the search component at /ThinkOX-master/index.php?s=/Weibo/Index/search.html. The application fails to sanitize the keywords input parameter, allowing an attacker to inject arbitrary HTML and JavaScript code [1].

An attacker can exploit this by crafting a malicious POST request containing a script payload in the keywords field. The provided proof-of-concept demonstrates sending keywords=%3Cscript%3Ealert%281%29%3C%2Fscript%3E to the vulnerable endpoint; when the server processes the request, it reflects the script in the response, and the script executes in the victim's browser [1]. The attack can be initiated remotely without authentication, as the search functionality is publicly accessible.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's session. This could lead to session hijacking, defacement of the application, or redirection to malicious sites. The CVSS v3 base score of 3.5 reflects the low severity, likely due to the requirement for user interaction (e.g., clicking a crafted link) and the limited direct impact on confidentiality, integrity, or availability.

As of the publication date, no official patch has been released. The vendor should implement proper input validation and output encoding to mitigate the issue. Given that the exploit has been publicly disclosed, administrators of ThinkOX 1.0 installations should consider applying workarounds such as a web application firewall rule to block malicious keywords until a fix is available [1].
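The fix the narrative calls for, output encoding at the point where the search term is echoed back, is shown below as an added example. This is not ThinkOX code and does not use ThinkPHP's template engine; it assumes a PHP 8 search page that writes the submitted keywords parameter into an HTML text node, and the request array is a constructed stand-in for $_POST using the payload quoted in the advisory. The hypothetical containsRawTag helper is the kind of assertion a regression test for the fix would make.

```php
<?php
// Added example (not ThinkOX code): a reflected-XSS search page and its fix.
// Assumptions: the page echoes the submitted "keywords" value into an HTML text
// context; the request shape (POST keywords=...) follows the advisory. The
// $request array below is constructed sample input standing in for $_POST.
// Requires PHP 8.0+ (str_contains).

declare(strict_types=1);

/**
 * Vulnerable pattern: the raw parameter is concatenated into HTML. Any markup
 * in $keywords becomes part of the page and runs in the visitor's browser.
 */
function renderSearchVulnerable(string $keywords): string
{
    return '<h2>Results for: ' . $keywords . '</h2>';
}

/**
 * Hardened pattern: encode for the HTML context at output time.
 * ENT_QUOTES also encodes ' and " so the same helper is safe inside quoted
 * attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of
 * returning an empty string, which would otherwise silently blank the output.
 */
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderSearchSafe(string $keywords): string
{
    return '<h2>Results for: ' . escapeHtml($keywords) . '</h2>';
}

/**
 * Hypothetical regression check: true when the submitted value contained a tag
 * and that tag survived verbatim in the rendered response.
 */
function containsRawTag(string $html, string $input): bool
{
    return preg_match('/<\s*[a-z]/i', $input) === 1 && str_contains($html, $input);
}

// Constructed sample request using the proof-of-concept value from the advisory.
$request  = ['keywords' => urldecode('%3Cscript%3Ealert%281%29%3C%2Fscript%3E')];
$keywords = $request['keywords'] ?? '';

$vulnerable = renderSearchVulnerable($keywords);
$safe       = renderSearchSafe($keywords);

echo "Vulnerable: $vulnerable\n";
// -> <h2>Results for: <script>alert(1)</script></h2>
echo "Hardened:   $safe\n";
// -> <h2>Results for: &lt;script&gt;alert(1)&lt;/script&gt;</h2>
echo 'Raw tag reflected (vulnerable): ' . var_export(containsRawTag($vulnerable, $keywords), true) . "\n"; // true
echo 'Raw tag reflected (hardened):   ' . var_export(containsRawTag($safe, $keywords), true) . "\n";       // false
```

Run it with `php search_example.php`. The encoding is applied where the value is written into the page, not where it is read, because the same string may later be written into a different context (a JavaScript string, a URL) that needs a different encoder; filtering on input, as a WAF rule does, is a useful stopgap but is not a substitute for context-correct output encoding.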

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

References (4)

News mentions (0)

No linked articles in our index yet.